Werk #15194: Fix command injection via RestAPI / Password Store
| Component | Core & setup |
| Title | Fix command injection via RestAPI / Password Store |
| Date | Aug 2, 2023 |
| Checkmk Edition | Checkmk Raw (CRE) |
| Checkmk Version | 2.0.0p38 2.1.0p32 2.2.0p4 2.3.0b1 |
| Level | Trivial Change |
| Class | Security Fix |
| Compatibility | Compatible - no manual interaction needed |
Prior to this Werk, users with the permissions to (a) use the RestAPI, (b) create passwords in the password store, and (c) create active checks were able to run arbitrary commands on the site.
This issue was found during internal code review.
Affected Versions: * 2.0.0 * 2.1.0 * 2.2.0 prior to version 2.2.0p4
Note that at the point of publishing this Werk and fix, the current version 2.2.0 was already not affected by this issue anymore, as the issue was already mitigated by Werk #15889.
Indicators of Compromise: Check the password store for passwords with unusual identifiers, review add-password events in the audit log.
Vulnerability Management: We have rated the issue with a CVSS Score of 8.8 (High) with the following CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. We have assigned CVE CVE-2023-31209.
Changes: This Werk adds proper sanitization of the affected parameter on core commands.
